Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/da_667/statuses/111109191465278888">da_667 (da_667@infosec.exchange)'s status on Sunday, 19-Oct-2025 10:59:49 JST</a><a href="https://infosec.exchange/@da_667" title="da_667@infosec.exchange"><img src="https://gnusocial.jp/avatar/30576-48-20251105181522.webp" width="48" height="48" alt="da_667" style="position: absolute; left: 0; top: 0;">da_667</a></section><article><p>Time for me to reiterate why I think DOH is fucking garbage. This is the cliffnotes version:</p><p>-If you read the RFC, never once is privacy listed as a goal for the protocol<br>-Ostensibly, you get some privacy on the first hop, but from there, you have zero guarantees on literally anything. You have promises from various companies, but that doesn't mean jack shit.<br>-I'd like you to consider that cloudflare doesn't have a good track record of policing abuse of their platforms, they tacitly support white supremecists and terrorists, they've been known to forward abuse requests containing personal information of those who have submitted them to their abusers, and they have zero financial incentive to stop the flow of traffic. THIS INCLUDES MALWARE, THERE IS SO MUCH FUCKING MALWARE USING CLOUDFLARE. They are a default DoH provider choice in the major browsers that support it.<br>-Transaction ID is always set to zero for DoH requests to improve caching. This is actually written into the protocol. Y'all know why the transaction ID/DNS ID exists, right? This opens up attack paths for man in the middle attacks. Think QUANTUM and PRISM-type bullshit, where the answer to your DNS query is changed but you'll never know.<br>-The only goal of the protocol was to move DNS resolution to the browser, so that the browser is cognizant of how domains are being resolved. Its anti-adblocking tech. <br>-Think about who the major players are behind DoH - It was driven by Cloudflare, Mozilla, and Google. and while I like Firefox, they all have financial incentive to see how domain resolution is occuring and ensure ads are delivered to clients. Y'all are aware of google's Web Integrity web DRM shit, right? How much you wanna bet that if it becomes a standard, there will be websites popping up whereby resolution via DoH is required for viewing the content? I wonder why that would be?<br>-Flow analysis easily reveals which HTTPS traffic is likely to be DoH traffic. You can't hide connection metadata.<br>-Several tools have been developed to used DoH as C2, and even file storage, if you're brave enough.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/5777425#notice-11338021">In conversation</a><time datetime="2025-10-19T10:59:49+09:00" title="Sunday, 19-Oct-2025 10:59:49 JST">about a month ago</time> <span>from <span><a href="https://infosec.exchange/@da_667/111109191465278888" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@da_667/111109191465278888">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
da_667 (da_667@infosec.exchange)'s status on Sunday, 19-Oct-2025 10:59:49 JST da_667
Time for me to reiterate why I think DOH is fucking garbage. This is the cliffnotes version:
-If you read the RFC, never once is privacy listed as a goal for the protocol
-Ostensibly, you get some privacy on the first hop, but from there, you have zero guarantees on literally anything. You have promises from various companies, but that doesn't mean jack shit.
-I'd like you to consider that cloudflare doesn't have a good track record of policing abuse of their platforms, they tacitly support white supremecists and terrorists, they've been known to forward abuse requests containing personal information of those who have submitted them to their abusers, and they have zero financial incentive to stop the flow of traffic. THIS INCLUDES MALWARE, THERE IS SO MUCH FUCKING MALWARE USING CLOUDFLARE. They are a default DoH provider choice in the major browsers that support it.
-Transaction ID is always set to zero for DoH requests to improve caching. This is actually written into the protocol. Y'all know why the transaction ID/DNS ID exists, right? This opens up attack paths for man in the middle attacks. Think QUANTUM and PRISM-type bullshit, where the answer to your DNS query is changed but you'll never know.
-The only goal of the protocol was to move DNS resolution to the browser, so that the browser is cognizant of how domains are being resolved. Its anti-adblocking tech.
-Think about who the major players are behind DoH - It was driven by Cloudflare, Mozilla, and Google. and while I like Firefox, they all have financial incentive to see how domain resolution is occuring and ensure ads are delivered to clients. Y'all are aware of google's Web Integrity web DRM shit, right? How much you wanna bet that if it becomes a standard, there will be websites popping up whereby resolution via DoH is required for viewing the content? I wonder why that would be?
-Flow analysis easily reveals which HTTPS traffic is likely to be DoH traffic. You can't hide connection metadata.
-Several tools have been developed to used DoH as C2, and even file storage, if you're brave enough.
In conversationabout a month ago from infosec.exchangepermalink

Public

Embed Notice

HTML Code

Corresponding Notice